Domain Admin issues

Hi,

I have a domain which has 1500 machines. All the machines are in the domain. My question is: when we add a machine into the domain, will it add Domain Admins into the group which is in as Administrators? If yes, how do we remove those rights from all machines, and will there be any problems?

Yes, when you join the domain, Domain Admins is added to local Administrators, and Domain Users is added to local Users.
The rest of your question depends heavily on why you'd want to remove that, and what you use your systems for.
If you'll ever need work done on the system by an admin, they'd need to be able to log in locally. That means you either set the same local Admin password for all 1500 devices, or you remember 1500 passwords...

Domain Admins is by default a member of local Administrators.
You can remove that either manually, via "Restricted Groups" in group policy, or with a script.
Removing Domain Admins from Administrators should not be a problem, but of course Domain Admins will lose permissions on those boxes. I would leave this setting alone, though, because Domain Admins can do virtually whatever they want in the domain, including adding themselves back into the local group. So there is no point in bothering to remove them.

If you have concerns, rule number one is to grant Domain Admin only to the people you trust; keep the group as small as possible.
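Before deciding either way, it helps to know what the 1500 local Administrators groups actually contain. The following PowerShell script is an added example (not code from this thread or from any of its posters) that audits each computer over WinRM and reports whether "Domain Admins" is still a member of the local Administrators group, along with any other members (the extra local admins the later replies warn about). It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), WinRM enabled, and a caller with admin rights; the computer names and the domain NetBIOS name are placeholders you replace with your own.

```powershell
<#
  Audit-LocalAdmins.ps1 (added example; not from the original thread)
  For each computer, report whether "<DOMAIN>\Domain Admins" is in the
  local Administrators group and list every other member.
  Assumptions: PowerShell 5.1+ on targets, WinRM enabled, caller is admin.
  'PC-001', 'PC-002' and 'CONTOSO' are placeholders, not real names.
#>
param(
    [string[]]$ComputerName = @('PC-001', 'PC-002'),   # placeholder computer names
    [string]$DomainNetbios  = 'CONTOSO'                # placeholder domain NetBIOS name
)

# Get-LocalGroupMember returns domain principals as "DOMAIN\Name".
$expectedDomainAdmins = "$DomainNetbios\Domain Admins"

# Runs on each target: collect Administrators membership and summarise it.
$audit = {
    param($Expected)
    $members = Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HasDomainAdmins = ($members -contains $Expected)   # case-insensitive compare
        OtherMembers    = ($members | Where-Object { $_ -ne $Expected }) -join '; '
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $audit `
                       -ArgumentList $expectedDomainAdmins -ErrorAction Stop
    } catch {
        # Unreachable hosts are recorded rather than silently skipped,
        # so the report shows exactly which machines were not checked.
        [pscustomobject]@{
            Computer        = $c
            HasDomainAdmins = $null
            OtherMembers    = "unreachable: $($_.Exception.Message)"
        }
    }
}

# Summary table, with machines that have lost Domain Admins listed first.
$results | Sort-Object HasDomainAdmins | Format-Table Computer, HasDomainAdmins, OtherMembers -AutoSize

# Flag any machine where Domain Admins has already been removed: on those,
# only a local Administrator account can still manage the box.
$results | Where-Object { $_.HasDomainAdmins -eq $false } |
    ForEach-Object { Write-Warning "$($_.Computer): Domain Admins missing from local Administrators" }
```

Run it from an admin workstation with a list of computer names taken from Active Directory. The OtherMembers column is the interesting one for the concern raised later in the thread: any extra local account there can reset the local Administrator password, whereas a domain account's password can only be reset in AD.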


Alright - if you have a domain 'user' JohnSmith, he can be set to log on to 'his' computer since he's a member of the Domain Users group (which is a member of the local Users group on that computer).

If JimBob is a Domain Admin and he tries to log on to JohnSmith's computer to provide support (whether he walks up to the PC or connects remotely) he will not be able to log onto that device, or at least perform administrative functions if he does not, in some way, authenticate as an Administrator. He has two options for that: Log in as the local Administrator account on that computer (or a 'copy' of the local Admin) or log onto the domain using his Domain Admin credentials which (if left at the default) would give him local Administrative rights since Domain Admins is by default in the local Administrators group.

>>The management says that why have we given Domain admin rights to end users.
What? Can you explain what you mean by this? Your end users should NOT be in the Domain Admins group.

Remember, there are local admins, local users, domain admins and domain users; all 4 of these groups are completely different. Their names are pretty self-explanatory as to what each group can/cannot do.

Domain Admins by default are considered "Local Administrators" on all computers in the domain. Because of this they can pretty much do whatever they want throughout the domain. By taking the "Domain Admins" group out of the "Local Administrators" group on every computer, you can potentially lose the ability to manage the computers on the domain.

"Local Administrators" have the ability to install applications, reset passwords, add/remove computers from the domain, and so on. If the "Domain Admins" group loses "Local Administrator" access to the computer, you will have to remember at least 1 "Local Administrator" account on each computer. Best practice for this is to have a common username and password on each system that is tightly controlled; otherwise you are going to have to remember 1500 passwords and usernames if you have 1500 computers in your network. The problem with doing this is that other "Local Administrators" on the computer have the ability to reset passwords for other "Local Administrators".

By having a "Domain Admin" with "Local Administrators" access to all computers, other "Local Administrators" cannot reset "Domain Passwords" (because they are saved on the domain, outside the local computer's control) and you can use a common username and password on each system. An added benefit of this method is that when a domain admin password becomes compromised, it can be easily changed by simply going to Active Directory (or whatever you're using) and resetting that particular Domain Admin account (best practice is to change your password often, before it becomes compromised).

>>My question is simple: if I remove the domain admin from a machine, what will happen? Problem that we face

That means that nobody logged in with an account that is a member of the 'Domain Admins' group will be able to manage the local computer. Basically you are taking your ability to manage the PCs away from yourself. If you do that, then the only way you can do any maintenance on any PC is to log in with the LOCAL admin account. I would highly recommend not doing this. It sounds like your 'management' is trying to manage the IT department and they don't know what they are doing. It is your job as a network manager/admin to manage the network, not theirs.
